bomonike

There are several (overlapping) ones.

US (English)   Norsk (Norwegian)   Español (Spanish)   Français (French)   Deutsch (German)   Italiano   Português   Estonian   اَلْعَرَبِيَّةُ (Egypt Arabic)   Napali   中文 (简体) Chinese (Simplified)   日本語 Japanese   한국어 Korean

Overview

resume-certificate-158x112.png For security professionals, there are several expensive overlapping certification exams, from competing agencies.

NOTE: Content here are my personal opinions, and not intended to represent any employer (past or present). “PROTIP:” here highlight information I haven’t seen elsewhere on the internet because it is hard-won, little-know but significant facts based on my personal research and experience.

This map from security techo thriller book reviewer Paul Jerimy at
security-cert-landscape
Click for full screen image.

cyberseek.org analyzed openings to identify the popularity of certifications requested: security-certs-requests-528x493.png

  1. ISC2 CISSP
  2. CompTIA Security+
  3. ISACA CISA (Certified Information Systems Auditor)
  4. SANS GIAC (Global Information Assurance Certification)
  5. ISACA CISM (Certified Information Security Manager)
  6. CIPP (Certified Information Privacy Professional) answer 90 multiple-choice questions in 2.5 hours online or at a Pearson VUE test center. Its $550 plus a Maintenance Fee of $250/2 year. It assesses knowledge of U.S. privacy laws and regulations and legal requirements for transferring sensitive personal data to/from the United States, the EU and other jurisdictions.

Upon passing your exam, you will need to purchase a Certification Maintenance Fee to activate your certification, and again for each two-year certification term.

For IAPP members, the fee is built into membership benefits. Non-member test takers are encouraged to purchase the Certification Maintenance Fee at the time of exam purchase so it will activate automatically upon passing the exam.

Other lists:

Glossaries

Real World Penetration Testing

VIDEO: https://cp.tc (Collegiate Penetration Testing Competition) provides for college students a “real-world” enterprise environment. Seeing how such environments are constructed is an education in itself. CPTC is unlike “CTF (capture the flag)” competitions which are focused on technical aspects, the culmination of CPTC is focused on the “real world” aspects of security such as where writing a report to corporate managers about both vulnerabilities and their mitigation.

IAPP

The International Association of Privacy Professionals (iapp.org) costs $295/year ($100 for retired and non-profits) plus $550 per exam:

OCEG

From oceg.org “from the global nonprofit think tank that invented GRC” (Governance, Risk, Compliance) standards:

CCSK

The Certificate of Cloud Security Knowledge (CCSK) is marketed as a complement to other credentials (CCAK, CISA, CISSP, CCSP) by the Seattle-based Cloud Security Alliance (CSA) which also markets training.

QUESTION: The CSA Cloud Trust Protocol Daemon protoype is inactive?

Whizlabs has sample tests but questionable quality with too many double negative questions and answers.

The CCSK is an open-book, online exam, completed in 90 minutes. Purchasing the exam costs $395 (free to veterans) for two test attempts, which you will have 2 years to use. The minimum passing score is 80% of the 60 multiple-choice vendor-neutral questions selected randomly from the CCSK question pool in v4 of the exam available December 1, 2017:

https://www.meetup.com/Cloud-Security-Alliance-Northeast-Ohio-Chapter/events/275707693/ Cloud Security Alliance NorthEast Ohio chapter

Domain 1 Cloud Computing Concepts and Architectures

Domain 2: Governance and Enterprise Risk Management

Domain 3: Legal Issues, Contracts and Electronic Discovery

Domain 4: Compliance and Audit Management

Domain 5: Information Governance

Domain 6: Management Plane and Business Continuity

Domain 7: Infrastructure Security

Domain 8: Virtualization and Containers

Domain 9: Incident Response

Domain 10: Application Security

Domain 11: Data Security and Encryption

Domain 12: Identity, Entitlement, and Access Management

Domain 13: Security as a Service

Domain 14: Related Technologies

Certified Infosec NIST CSF

While it develops a new Cybersecurity Certification Exam, ISACA’s 4-hour CSX-P (Cybersecurity Practitioner) exam, derived from the NIST Cyber Framework was sunsetted on 30 April 2023.

For $674.95 plus $100 annual membership and $399.95 for the required 3-day on-line class or $3,995 on-site class, get the “NIST Cybersecurity Framework Lead Implementer” certification by answering 75% of 65 questions in 70 minutes. Test content, training, and proctoring are all provided by a single profit-making organization: Certified Information Security (https://www.certifiedinfosec.com), founded by Allen Keele.

Domains covered by the test:

  1. Framework Core Functions of the NIST CSF
    • Identify threats and vulnerabilities
    • Protect systems from outside threats
    • Detect threats and system vulnerabilities
    • Respond to and mitigate cyber incidents
    • Recover from incidents and disasters
  2. Framework Implementation Tiers (Cybersecurity Risk Management)
  3. Framework Profiles
  4. Converging NIST CSF into an ISO 27001 Information Security Management System (ISMS).

Crash SuperReview on OReilly.com covers 2 of the 3 day class.

https://learning.oreilly.com/library/view/cybersecurity-career-master/9781801073561/ Cybersecurity Career Master Plan

https://learning.oreilly.com/videos/nist-cybersecurity-framework/9781787782396/ NIST Cybersecurity Framework - A pocket guide

ISC2.org

ISC2.org (a non-profit), publishes a Code of Ethics at https://www.isc2.org/ethics

https://www.isc2.org/Certifications/Qualification-Pathfinder

Prices for exams taken at Pearson Vue test centers:

CC: Certified in Cybersecurity (CC)

This Certified in Cybersecurity (CC) is a new certification for entry-level cybersecurity professionals. $249 USD to get 70% of 100 questions in 2-hours. The domains:

https://my.isc2.org/s/Candidate-Benefits/1MCC-Online-Self-Paced

Omar Santos (of Cisco), author of the comprehensive hackerrepo.org, prepared on OReilly.com a 3 hours 30 minutes video course. He also has a YouTube video on the CC exam.

SSCP

$249 USD SSCP (Systems Security Certified Practitioner)

Course

“Similar to Security+. Prepares you to take the CISSP.”

CGRC

$599 USD CGRC (Certified Government Risk and Compliance) professional – previously CAP (Certified Authorization Professionl) until Feb 23, 2023 – is for individuals with 2+ years of experience being responsible for the implementation and management of information security risk management and compliance programs. Pass 70% of 125 questons over 3 hours at a Pearson VUE Testing Center.

CGRC Content maps to the NIST SP 800-37 RMF (Risk Management Framework) categories:

CGRC is taken from a broad spectrum of vendor-neutral topics in the CGRC Common Body of Knowledge (CBK®) over 7 domains:

  1. Information Security Risk Management Program
    • Control Objectives for Information and Related Technology (COBIT)
    • International Organization for Standardization (ISO) 27001,
    • International Organization for Standardization (ISO) 31000,
    • Federal Information Security Modernization Act (FISMA),
    • Federal Risk and Authorization Management Program (FedRAMP),
    • General Data Protection Regulation (GDPR),
    • Health Insurance Portability and Accountability Act (HIPAA)
  2. Scope of the Information System:
    • Federal Information Processing Standards (FIPS) 199,
    • International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27002,
    • data protection impact assessment
  3. Selection and Approval of Security and Privacy Controls: baseline and inherited controls; control enhancements (e.g., security practices, overlays, countermeasures); continuous control monitoring strategy (e.g., implementation, timeline, effectiveness); Information Security Management System (ISMS)
  4. Implementation of Security and Privacy Controls
    • Information Technology Security Guidance ITSG-33 – Annex 3A,
    • Technical Guideline for Minimum Security Measures,
    • United States Government Configuration Baseline (USGCB),
    • National Institute of Standards and Technology (NIST) checklists,
    • Security Technical Implementation Guides (STIGs)
    • Center for Internet Security (CIS) benchmarks,
    • General Data Protection Regulation (GDPR)
  5. Assessment/Audit of Security and Privacy Controls
    • Risk treatment options (i.e., accept, avoid, transfer, mitigate, share)
  6. Authorization/Approval of Information System
  7. Continuous Monitoring

Gerald Auger, PhD (SimplyCyber.io, publisher of the $30 GRC (Governance, Risk management, and Compliance) Analyst Master Class. The first scholarly research on GRC was published in 2007 where GRC was formally defined as “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity.” Good governance includes:

CISSP

CISSP-logo- Square-131x131 Even at $749 USD, the Certified Information Systems Security Professional exam (pronouced “sis pee”) is a sought-after technical certification in cybersecurity leaders as the “gold standard” of vendor-neutral cybersecurity certifications. Earning it proves you understand cybersecurity from a management viewpoint -— a requirement if your organization is subject to PCI, GDPR, HIPAA, SOX, ISO 27001, or other regulations.

The first version of the CISSP Common Body of Knowledge (CBK) was finalized in 1992 and the CISSP credential was launched in 1994. Since it’s an internationally recognized, there are questions about cybersecurity regulations in Canada, UK, EU, etc.

Rather than the previous 250 questions over 6 hourse, the CISSP exam is now adaptive, asking 100-150 questions, depending on whether answers are correct. PROTIP: With Adaptive Testing, your objective is to get hard questions. So study as if you’ll get all hard questions. The better you are, the harder the test is. If you aced the first 10 questions, you’ll be put into “brutal mode”. With CAT (Computer Adaptive Testing), the more one aces every question, the quicker she would get done before the 3 hours. VIDEO: This also means you won’t be able to go back and change answers in previous questions answered.

There is a 5 year experience requirement, attested by other professionals after you pass the exam.

The CISSP has 3 different concentrations:

You need to pass at least 70% on each CISSP domain.

CISSP Domains

  1. 16% Security and Risk Management - 334
  2. 10% Asset Security - 44
  3. 13% Security (Architecture and) Engineering - 268
  4. 13% (Communication and) Network Security - 114 on OSI model
  5. 13% Identity and Access Management (IAM) - 82 on biometrics
  6. 12% Security Assessment and Testing - 41 on NIST SP 800-92
  7. 13% Security Operations - 245
  8. 10% Secure Software Security (Development Lifecycle) - 164 includes a demo of ZAP Proxy for fuzzing, Git & GitHub.

Click on “»” in front of each link to reach my notes at https://wilsonmar.github.io/cyber-security

Numbers to the right of his videos are counts of questions in the OReilly/Pearson bank:

Links under each domain title are to Mike Chapple’s 33-hour LinkedIn Learning videos (and on YouTube). He provides detailed, sequenced lectures, updated for the May 2021 BOK. He includes demos of the most popular software. Links to each CISSP domains contains a link to his tutorial on that domain.

Parentheses in domain names contain words removed in the 2023 version of CISSP.

“Every domain is interconnected. It’s swimming with overlap.”

Official flash cards of definitions:

  1. The Information Security Environment - 18 items
  2. Information Asset Security - 17 items
  3. Identity and Access Management (IAM) - 24 items
  4. Security Architecture and Engineering - 48 items
  5. Communication and Network Security - 88 items
  6. Software Development Security - 101 items
  7. Security Assessment and Testing - 18 items
  8. Security Operations - 62 items

https://learning.oreilly.com/search/?q=cissp&type=*&rows=10 Search on OReilly.com

Dean Bushmiller (of ExpandingSecurity.com) has a live CISSP Bootcamp on OReilly.com where he goes over his wiki on GitHub. It contains his glossary, notes, and proprietary visual “mind maps”. 888.225-0888

  1. SRM = Security and Risk Assessment
  2. ANT = Asset Security
  3. SAE = Security Architecture and Engineering
  4. CNS = Communication and Network Security
  5. IAM = Identity and Access Management
  6. KAS = Security Testing and Assessment = Knowledge Asset Security?
  7. OPS = Security Operations
  8. DEV = Security Development Security

BOOK: Practice questions by Mohamed Aly Bouke from Kula Lumpur, Malaysia.

Written References:

Practice Questions:

Not yet updated to CISSP 01 May 2021 changes:

Video prep courses view:

Jerod Brennen created video courses (on LinkedIn Learning) for each domain:

  1. Secure Software Concepts Released Feb 12, 2020 (Confidentiality, Integrity, Availability triad, IAM, design)

  2. Secure Software Requirements

  3. Secure Software Design 1h 48m

  4. Secure Software Implementation/Programming

  5. Secure Software Testing (online and offline)

  6. Secure Lifecycle Management

  7. Secure Deployment, Operations, and Maintenance

  8. Supply Chain and Software Acquisition

Quizzing Tests:

YouTube videos with content index (and ads) by Rob Richa, with John Berti of Destination Certifications:

  1. Security & Risk Management

  2. Asset Classification Privacy:

  3. Identity and Assess Management

  4. Security Architecture and Engineering:
    • Models and Frameworks: https://www.youtube.com/watch?v=qZB6_lp9M30​&t=30s
    • Evaluation Criteria: https://www.youtube.com/watch?v=WqHmDL7YAvw​&t=30s
    • Trusted Computing Base: https://www.youtube.com/watch?v=fwU7n_3h058​&t=30s
    • Vulnerabilities in Systems: https://www.youtube.com/watch?v=fPUypU7ysMw​&t=30s
    • Cloud: https://www.youtube.com/watch?v=-rWQ7YuxiLY​&t=30s
    • Cryptography: https://www.youtube.com/watch?v=LLRaa0kOMDM​&t=30s
    • Digital Certificates, Digital Signatures & PKI: https://www.youtube.com/watch?v=8XKdFSG3ua4​&t=30s
    • Cryptanalysis: https://www.youtube.com/watch?v=pnITDgs63M4​&t=30s
    • Physical Security: https://www.youtube.com/watch?v=7ESQwNJ9HXU​&t=30s

  5. Access Control Overview: https://www.youtube.com/watch?v=BUcoABZzeQ4​&t=30s Single Sign-on & Federated Access: https://www.youtube.com/watch?v=_U4QMIxVk8M​&t=30s

  6. Security Assessment and Testing Overview: https://www.youtube.com/watch?v=eDVZvw5NziA​&t=30s
    • Vulnerability Assessment and Penetration Testing: https://www.youtube.com/watch?v=vZ0S8GdWiIk​&t=30s
    • Logging & Monitoring: https://www.youtube.com/watch?v=cwcARccyWyY​&t=30s

  7. Security Operations:
    • Investigations: https://www.youtube.com/watch?v=Urev5cZgny8​&t=30s - Locard’s Principle: perp. will leave something behind and take something
    • Incident Response: https://www.youtube.com/watch?v=PwxFwndQ7Jk​&t=30s
    • Malware: https://www.youtube.com/watch?v=SVbrRozyIpo​&t=30s
    • Patching & Change Management: https://www.youtube.com/watch?v=xX4U6Lz82Bk​&t=30s
    • Recovery Strategies: https://www.youtube.com/watch?v=DrrfrJBnx28​&t=30s
    • Business Continuity Management (BCM): https://www.youtube.com/watch?v=oAjNL3I_3-E​&t=30s

  8. Secure Software Development (Lifecycle)
    • https://youtu.be/fS5WWjuyFmQ​&t=30s
    • Databases: https://youtu.be/-70DBd6cNDw&t=30s

Bootcamp: 13 day 2 hours each from April 13, 2020 FRSecure CISSP Mentor Program (12th year) streaming by @evanfrancen. S2me.io

8-hour VIDEO CISSP Exam Cram from Pete Zerger’s Inside Cloud and Security (2022 edition)

Posted by SANS Blue Team Ops:

Flash cards:

Suggestions:

CCSP

$599 USD CCSP (Certified Cloud Security Professional).

The Aug 2022 upgrade went to 150 questions in 4 hours (from 3). Results are Pass/Fail, but you must score at least 70% in EACH separate vendor neutral domain:

This PDF has the details.

ccsp.alukos.com is a GitBook-formatted listing with glossary of terms, laws by country, standards by each body, frameworks.

On YouTube:

If you have an OReilly.com subscription:

I think ISC2 is too clever with their questions, past the point of making the test as much about knowing the twisted mind of the test maker rather than understanding the underlying material. I wich that ISC2 test writers see “Advanced” level of “knowledge” as higher order thinking (such as evaluation) rather than teasing out twisted meaning of words in tests.

Bragging:

ISACA.org

ISACA.org was created by CISA, a consortium of cloud companies who also maintains a Vulnerability Catalog, the CAIQ, and hold the Digital Trust World conference. It asks for a $50 test application processing fee, $145 annual membership fee plus up to $50 monthly local chapter dues. Members get a $185 discount to the $760 online, remotely-proctored exam fee to Pearson Vue. Its website uses Salesforce Authenticator for 2FA. There’s also a $45 annual maintenance fee for each certification, plus $50 for each recertification. And costs for $795.95 education by Allan Keele, who created a $495 NIST 2.0 Certified Auditor course/exam for those who already passed the Lead Auditor exam.

Exec Order 14028 update of 13366

ISACA CSX

ISACA’s Cybersecurity Nexus (CSX) Certificates

Zero Point Security CRTO

The Certified Red Team Operator (CRTO) course and certification is 48 hours of lab time spread across a 4 day event where the student has to find and submit 8 flags (6 flags to pass) within Snap Labs.

https://medium.com/@adamgoss/certified-red-team-operator-crto-review-71ea4edef62a

Offensive Security

Offensive Security is a for-profit company offering courses with labs and certifications:

They offer a $5,499/year bundle for unlimited labs and exam attempts.

SANS GIAC

SANS formed the Global Information Assurance Certification (GIAC) program to act as the certification arm for its training courses. GIAC has a roadmap to dozen of exams across eight focus areas. Remote proctoring is offered through ProctorU.

GIAC offers two levels: First attempts at the Practitioner level are $979. At the Applied Knowledge level are “GX” or “Experienced” level exams, it’s $1,299 or $499 if a GIAC is active. Retakes are $100 less. Renewals ar $479 at all levels. The exams and classes by 8 focus areas (Cyber Specialities), listed alphabetically:

</td>
CertDescriptionClassSeq A. Ess B. SM C. CD D. Cloud E. IR F. PT G. OS H. ICS
GASFAdvanced Smartphone Forensics FOR585: Smartphone Forensic Analysis In-Depth? ----X-X-
GAWNAssessing and Auditing Wireless Networks SEC617: Wireless Penetration Testing and Ethical Hacking? -----X--
GBFABattlefield Forensics and Acquisition FOR498: Digital Acquisition and Rapid Triage? ----X-X-
GCCCCritical Controls Certification SEC566: Implementing and Auditing Security Frameworks and Controls? -X-- ----
GCDACertified Detection AnalystSEC555: SIEM with Tactical Analytics? --X- ----
GCEDCertified Enterprise DefenderSEC501? X-X- ----
GCFACertified Forensic Analyst FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics? ----X---
GCFECertified Forensic Examiner FOR500: Windows Forensic Analysis? ----X---
GCFRCloud Forensics Responder FOR509? ---XX---
GCIACertified Intrusion AnalystSEC503? --X- ----
GCIHCertified Incident Handler SEC504: Hacker Tools, Techniques, and Incident Handling3 X-X-XX--
GCIPCritical Infrastructure ProtectionICS456: Essentials for NERC Critical Infrastructure Protection? ---- ---X
GCLDCloud Security Essentials ?SEC488? ---X----
GCPNCloud Penetration Tester SEC588? ---X--X-
GCPMGIAC Certified Project Manager MGT525: Managing Cybersecurity Initiatives & Effective Communication? -X------
GCSACloud Security AutomationSEC540? ---X----
GCTDCloud Threat DetectionSEC541---X-----
GCTICyber Threat Intelligence FOR578 ----X----
GCWNCertified Windows (Security) AdministratorSEC505? --X- ----
GDATDefending Advanced Threats? ---X- ----
GDSADefensible Security ArchitectSEC530: Zero Trust? --X- ----
GEVAEnterprise Vulnerability Assessor -? -----X--
GFACTFoundational Cybersecurity Technologies SEC2751 ---X- ---
GICSPGlobal Industrial Cyber Security ProfessionalICS410: ICS/SCADA Security Essentials? ---- ---X
GIMEiOS and macOS Examiner FOR518: Mac and iOS Forensic Analysis and Incident Response? ----X---
GISFInformation Security FundamentalsSEC3012 X-X- ----
GISPInformation Security ProfessionalLDR414: SANS Training Program for CISSP® Certification? X-X- ----
GLEGLaw of Data Security & Investigations LEG523? -X------
GMLEMachine Learning EngineerSEC595? --X- ----
GMOBMobile (Device Security Analyst) SEC575: iOS and Android Application Security Analysis and Penetration Testing? -----X--
GMON(Continuous) MonitoringSEC511? --X- ----
GNFANetwork Forensic Analyst FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response? ----X---
GOSIOpen Source IntelligenceSEC4874 --X- ----
GPCSPublic Cloud SecuritySEC510? ---X----
GPENPenetration Tester SEC560? -----X--
GPYCPython Coder SEC573: Automating Information Security with Python? -----X--
GREMReverse Engineering Malware FOR610? ----X---
GRIDResponse and Industrial Defense ICS515: ICS Visibility, Detection, and Response? ----X--X
GRTPRed Team Professional SEC565: Red Team Operations and Adversary Emulation? -----X--
GSECSecurity EssentialsSEC4013 X-X- ----
GSLCSecurity Leadership MGT512: Leadership Essentials for Security Managers? -X------
GSNASystems and Network Auditor AUD507: Auditing Systems, Applications, and the Cloud? -X------
GSOCSecurity Operations CertifiedSEC450: Blue Team Fundamentals: Security Operations and Analysis? --X- ----
GSOMSecurity Operations Manager LDR551: Building, Leading, & Managing (SOC) Security Operations Center? --X- ----
GSTRTStrategic Planning, Policy, and Leadership MGT514? -X------
GWAPTWeb Application Penetration Tester SEC542? -----X--
GWEBWeb Application DefenderSEC522? ---X----
GXPNExploit Researcher and Advanced Penetration Tester SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking? -----X--

https://www.sans.org/cyber-academy/vetsuccess/ 100% scholarship for US veterans - 9 months to complete 3 courses

foundation & SAN275

“Applied Knowledge” level exams are named with “GX-“ and “Experienced” in their name:

CertDescriptionClassA. EssB. SMC. CDD. CloudE. IRF. PTG. OSH. ICS
GX-PTExperienced
Penetration Tester		 - -----X--
GX-FAExperienced
Forensic Analyst		 - ----X---
GX-IHExperienced
Incident Handler		---X- ----
GX-CSExperienced
Cyber Security		---X- ----
GX-IAExperienced
Intrusion Analyst		 - -----X--

Based on the NICE framework

CompTIA

So compliance with DoD 8570-2005 retired by NIST DoD Directive 8140.01 means job candidates need to have passed to it to just apply for some government jobs. DoD 8140 expands on DoD 8570 to leverage the Defense Cybersecurity Workforce Framework (DCWF), which draws from the original National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NCWF) and DoD Joint Cyberspace Training and Certification Standards (JCT&CS).

CompTIA certifications were designed for compliance with ISO 17024 standards and approved by the US DoD to meet directive 8140/8570.01-M requirements. Regulators and government rely on ANSI accreditation, because it provides confidence and trust in the outputs of an accredited program. Over 2.3 million CompTIA ISO/ANSI-accredited exams have been delivered since January 1, 2011.

Security+

Security+ exam SY0-601 at comptia.org/certifications/security is described an “entry level” exam. But its detailed coverage of some obscure encryption protocols and tricky questions make it difficult even for professionals.

NOTE: I first answered over 75% the 90-question Security+ March 2020 after studying literally 4 years, on and off. I held off due to its $392 test fee plus annual renewal fees. PROTIP: They offer a $49 annual Club for a $78 discount (20% off all CompTIA products). Students get a 40% discount at a different website.

What helped me get over the intimidation is to seek out the trick questions and delight in them as an intellectual curiosity.

PROTIP: If you have an OReilly subscription, Pearson Practice Test provides filtering to individual exam topic category objectives:

  1. Social Engineering Techniques - 17
  2. Attack Basics - 23
  3. Application Attacks - 20
  4. Network Attacks
  5. Threat Actors, Vectors, and Intelligence Sources
  6. Vulnerabilities
  7. Security Assessment Techniques
  8. Penetration Testing Techniques
  9. Enterprise Security Concepts
  10. Virtualization and Cloud Computing
  11. Secure Application Development, Deployment, and Automation
  12. Authentication and Authorization Design
  13. Cybersecurity Resilience
  14. Embedded and Specialized Systems
  15. Physical Security Controls
  16. Cryptographic Concepts
  17. Secure Protocols
  18. Host and Application Security Solutions
  19. Secure Network Design
  20. Wireless Security Settings
  21. Secure Mobile Solutions
  22. Cloud Cybersecurity Solutions
  23. Identity and Account Management Controls
  24. Authentication and Authorization Solutions
  25. Public Key Infrastructure
  26. Organizational Security
  27. Incident Response
  28. Incident Investigation
  29. Incident Mitigation
  30. Digital Forensics
  31. Control Types
  32. Regulations, Standards, and Frameworks
  33. Organizational Security Policies
  34. Risk Management
  35. Sensitive Data and Privacy

PROTIP: Security+ is vendor-neutral, but to be useful on the job, get trained in specific tools and in cloud computing as well.

Concepts in the five exam objectives are covered in videos by Professor Messer on YouTube:

  1. VIDEO: Threats, Attacks, and Vulnerabilities 1.1 – Social Engineering
    1.2 – Attack Types
    1.3 – Application Attacks
    1.4 – Network Attacks
    1.5 – Threat Actors and Vectors
    1.6 – Vulnerabilities
    1.7 – Security Assessments
    1.8 – Penetration Testing
  2. VIDEO: Architecture and Design 2.1 – Enterprise Security
    2.2 – Virtualization and Cloud Computing
    2.3 – Secure Application Development
    2.4 – Authentication and Authorization
    2.5 – Resilience
    2.6 – Embedded Systems
    2.7 – Physical Security Controls
    2.8 – Cryptographic Concepts
  3. VIDEO: Implementation 3.1 – Secure Protocols
    3.2 – Host and Application Security
    3.3 – Secure Network Designs
    3.4 – Wireless Security
    3.5 – Mobile Security
    3.6 – Cloud Security
    3.7 – Identity and Account Management
    3.8 – Authentication and Authorization Services
    3.9 – Public Key Infrastructure
  4. VIDEO: Operations and Incident Response 4.1 – Security Tools
    4.2 – Incident Response
    4.3 – Investigations
    4.4 – Securing an Environment
    4.5 – Digital Forensics
  5. VIDEO: Governance, Risk, and Compliance (GRC) 5.1 – Security Controls
    5.2 – Regulations, Standards, and Frameworks
    5.3 – Organizational Security Policies
    5.4 – Risk Management
    5.5 – Data Privacy

Josh Madakor of Seattle (a 2020 Western Governors University graduate) offers visitors to his YouTube free 1000 question deck presented by the free Anki Q&A app. NOTE: There is an brew install anki-beta

It references Professor Messer. Also, it’s a teaser for his $497 SOC Analyst video training using Azure cloud hands-on (built using ChatGPT). Topics include building a mini-SOC and other aspects of your security portfolio of NIST 800-53 policies, to apply for a job.

VIDEO: 20-hour CompTIA Security+ Exam Cram - SY0-601 (Full Training Course - All 5 Domains) by Pete Zerger

Among OReilly.com’s prep resources

CompTIA PenTest+

https://www.whizlabs.com/comptia-pentest/

CompTIA CASP+

For those who have pass CompTIA Network+ and Security+ certifications:

CompTIA CASP+ (CompTIA Advanced Security Practioner) exam CAS-004 is for practitioners — not managers — at the advanced skill level of cybersecurity – implementing solutions policies and frameworks.

CASP+ satisfies Baseline Certification for DoD IAT (Information Assurance Technical) Level III, IAM (Information Assurance Management) Level II, and IASAE (Information Assurance Security Architecture and Engineering) level I and II jobs.

Performance-based questions (PBQs) test a candidate’s ability to solve problems in a simulated environment that approximates a virtual environment with a firewall, network diagram, terminal window, or operating system.

At $396 for CompTIA members or $466 USD (or $799 with retake and $849 with Labs), you’ll have 165 minutes (2.5 hours) to answer 90 multiple-choice and “hands-on, performance-based” questions, for pass/fail grading. The domains:

  1. 19% Risk Management
  2. 25% Enterprise Security Architecture
  3. 20% Enterprise Security Operations
  4. 23% Technical Integration of Enterprise Security
  5. 13% Research, Development, and Collaboration

  1. Risk Management

    1: Business and Industry Influences and Risks

    2: Organizational Security Privacy Policies and Procedures

    3: Risk Mitigation Strategies and Controls

    4: Risk Metric Scenarios for Enterprise Security

  2. Enterprise network and Security Architecture

    5: Integrating Network and Security Components, Concepts, and Architectures

    6: Integrating Security Controls for Host Devices

    7: Integrating Controls for Mobile and Small Form Factor Devices

    8: Selecting Software Security Controls

  3. Enterprise Security Operations

    9: Conducting Security Assessments

    10: Selecting the Proper Security Assessment Tools

    11: Implementing Incident Response and Recovery

  4. Technical Integration of Enterprise Security

    12: Integrating Hosts, Storage, and Applications in the Enterprise

    13: Integrating Cloud and Virtualization Technologies in the Enterprise

    14: Integrating and Troubleshooting Advanced AAA Technologies

    15: Implementing Cryptographic Techniques

    16: Secure Communication and Collaboration Solutions

  5. Research, Development and Collaboration

    17: Applying Research Methods for Trend and Impact Analysis

    18: Implementing Security Activities Across the Technology Life Cycle

    19: Interacting Across Diverse Business Units

PROTIP: 12 Flash cards Sample:

CASP+ Practice Tests by Nadean H. Tanner (at Puppet, Metasploit)

O’Reilly Live Video Crash Course by Dean Bushmiller of expandingsecurity.com. Refrence: https://github.com/deanbushmiller/O-CASPv3/wiki from https://github.com/deanbushmiller/O-CASPv3

video 18+ hours released Jan. 2018 by Michael J. Shannon:

Kelly Handerhan’s Cybrary videos

CASP CAS-003 help on Reddit (archived)

Ucertify has good labs

Sybex book has labs as well

Udemy video “Prepatory course for the exam CAS-003”

  1. Understanding Risk Management - 2hr 22min QUIZ
  2. Network and Security - 1hr 55m QUIZ
  3. Implementing Advanced Authentication and Cryptographic Techniques - 1hr 46min QUIZ
  4. Implementing Security for Systems, Applications, and Storage - 2hr 23min QUIZ
  5. Implementing Security for Cloud and Virtualization Technologies - 1hr 45min QUIZ
  6. Utilizing Security Assessments and Incident Response - 1hr 42min QUIZ

Amazon search CAS-003

The Official CompTIA CASP+ Self-Paced Certification Study Guide (Exam CAS-003) Paperback by Jason Nufryk is $219.00

Notes:

Memory dump tools: Memdump, KnTTools on Windows, FATKit

Runtime Debugging: AddressSanitizer, C# Deleaker, Software Verify

Attestation provides evidence about a target to an appraiser so that policy compliance can be determined prior to authorization of access.

The Annualized Loss Expectancy (ALE) is the product of the Annual Rate of Occurrence (ARO) multiplied by the Single Loss Expectancy (SLE).

Bluesnarfing is the unauthorized access of a device by an attacker who is trying to access information on the device.

Hyperconvergence takes convergence a step further by utilizing software to perform integration without requiring hardware changes.

CompTIA CySA+

CompTIA CySA+ “Security Analyst” exam launched April 21, 2020 on Vue & Pearson online $359 to answer 75% of 85 questions in 165 minutes.

VIDEO:

  1. Threat and vulnerability management:

    1. Explain the importance of threat data and intelligence.
    2. Given a scenario, utilize threat intelligene to support organizatoinal security.
    3. Given a scenario, perform vulnerability management activities.
    4. Given a scenario, analyze the output from common vulnerability assessment tools.
    5. Explain the threats and vulnerabilities associated with operating in the cloud.
    6. Given a scenario, implement controls to mitigate attacks and software vulnerabilities.
  2. Software and systems security
    1. Given a scenario, apply security solutions for infastructure management
    2. Explain software assurance best practices
    3. Explain hardware assurance best practices
  3. Security operations and monitoring:
    1. Given a scenario, analyze data as part of security monitoring activities.
    2. Given a scenario, implement configuration changes to existing controls to improve security.
    3. Explain the importance of proactive threat hunting.
    4. Compare and contrast automation concepts and technologies.
  4. Incident response
    1. Explain the importance of the incident response process.
    2. Given a scenario, apply the appropriate incident response procedure.
    3. Given an incident, analyze potential indicators of compromise.
    4. Given a scenario, utilize basic digital forensics techniques.
  5. Compliance and assessment
    1. Understand the importance of data privacy and protection
    2. Given a scenario, apply security concepts in support of organizational risk mitigation
    3. Explain the importance of frameworks, policies, procedures and controls.

Training:

Cisco

Cisco (the networking company) has several certifications attained by 4,000 people world-wide:

The prerequisite is earning the Cisco Certified Specialist - Security Core certification by passing the their 120-minute $400 350-701 SCOR Cisco Security Core Technologies exam.

INE eLearnSecurity

INE offers several certifications:

eJPT

eJPT (eLearnSecurity’s Junior Penetration Tester) is an entry-level hands-on exam to prove that the individual has the knowledge, skills, and abilities required to be a junior Red Team penetration tester on real-world engagements. For $299, candidates have two-attempts at using their 5 machines over 48 hours (two days) to answer 35 questions about enumerating, exploiting, pivoting, and possibly escalating privileges. One candidate said he passed in 6 hours. The fee includes a course with 145+ hours of video content and 121 labs.

EC-Council Penetration Tester

EC-Council (International Council of E-Commerce Consultants) is based in Malaysia. Since 2001 it offers 3 levels of certification. See https://cert.eccouncil.org/faq.html

33% off until Dec 31.

CEH Certified Ethical Hacker

Now at v12, as defined by https://www.eccouncil.org/programs/certified-ethical-hacker-ceh asks 125 multiple-choice questions in 4 hours. Most questions is select from 4 options.

The $1,100 exam is proctored by ECC EXAM (as 312-50) and Pearson VUE (as 312-50), courseware is discounted to $850, with upgrade for VUE exam for $100. from “Aspen iLabs”.

NOTE: The CompTIA PenTest+ is cheaper and doesn’t require 2 years of experience.

Before applying for the exam, ask for a “direct exam” when providing who will verify your experience at https://cert.eccouncil.org/Exam-Eligibility-Form.html and pay $100 to apply at https://store.eccouncil.org/product/eligibility-application-fee/

The form needs to be printed, signed, scanned to a PDF, then emailed.

Don’t pay for the exam until you get approval.

Exam Brochure: https://www.eccouncil.org/wp-content/uploads/2016/07/CEHv10-Brochure.pdf

CEH Candidate Handbook: https://s3-us-west-2.amazonaws.com/edm-image/documents/CEH-Handbook-v2.2.pdf

Blueprint: https://cert.eccouncil.org/images/doc/CEH-Exam-Blueprint-v2.0.pdf

Dean Bushmiller’s “in 2 week” Live Video Course on OReilly.com with GitHub

“Footprinting” is a term EC-Council invented as aka for “reconnaissance”.

CPENT / ECSA

The Advanced level is ECSA: Security Analyst https://www.eccouncil.org/programs/certified-security-analyst-ecsa-practical/ is being phased out in Oct. 2020 in favor of the CPENT (Certified Penetration Testing Professional).

Covers “double pivoting”.

$2199 w/ training, $799 for challenge.

LPT

At the Expert Level is LPT: Licensed Penetration Tester [Master] https://www.eccouncil.org/programs/licensed-penetration-tester-lpt-master/ with training via CPENT.

EC-Council

EC-Council built the Advanced Penetration Testing Cyber Range (ECCAPT).

APISec University

APISec.ai launched from San Francisco August 2022 at +1 415.236.0601 (Twitter: apisecu, LinkedIn, YouTube, Discord) provides FREE training on a list of security-related tools that includes their own API scanner running a sample netbanking app [demo].

APIsec Con with APIDays Paris, France in December 8, 2023. shelby@apisec.ai.

Register to attend at https://university.apisec.ai/library. Each course has quizzes and a certificate of completion.

By Dan Barahona (founder):

apisec-top100-badge-1000x1000.png

By Jason Harmon of #APIIntersection podcast:

By Corey Ball (author of Hacking APIs:



CASA

The $150 CASA (Certified API Security Analyst) exam from APISec University is 100 questions online to “demonstrate your API security expertise.”

ASCP

The $650 API Security Certified Professional exam from APISec University is earned by capturing 6 of 8 flags to “prove your API hacking skills. Perform a penetration test of two API-driven applications by discovering vulnerabilities, exploiting weaknesses, and reporting your findings.”

Prepare for it by taking APISec University’s API Penetration Testing course.

IIBA Cybersecuity Analysis

IIBA, the International Institute of Business Analysis (Pickering, Ontario, Canada), has an affiliation with the IEEE. Membership costs $139/year. For $250 until Oct 31, 2022 then $400/$475 for members/non-members, it offers the CCA (Certification in Cybersecurity Analysis) among its 6 other certifications administered online by PSI. IIBA does not disclose the score needed to pass, scores attained, nor scoring percentages.

As of Aug 2022, 266 CCA attendees had 90 minutes to answer 75 multiple-choice questions in these Knowledge Areas:

AWS Security

See my notes at https://wilsonmar.github.io/aws-security

Microsoft SC-900 & AZ-500

PDF: Updated Jan 21, 2021 Microsoft’s AZ-500 Azure Security Technologies Associate online exam for people who maintain security posture, identify and remediate vulnerabilities by using a variety of security tools, implement threat protection, and respond to security incident escalations. Domains:

  1. Manage Identity and Access (30-35%)
  2. Implement Platform Protection (15-20%)
  3. Manage Security Operations (25-30%)
  4. Secure data and applications (20-25%) (Policy and Data Infrastucture & Data at Rest, App Security, Key Vault)

It costs $165 to Pearson Vue, less if you’re a certified trainer or in the esi.microsoft.com/getcertification, which has practice tests from MeasureUp.

Prequisite is certification as either:

or

Microsoft’s learning paths for AZ-500 :

  1. Secure your cloud applications in Azure 6 Modules - 5 hr 36 min
    1. Microsoft Azure Well-Architected Framework - Security - 1 hr 2 min
    2. Top 5 security items to consider before pushing to production - 45 min
    3. Create security baselines - 1 hr
    4. Manage secrets in your server apps with Azure Key Vault - 46 min
    5. Secure an ASP.NET Core web app with the Identity framework - 1 hr 8 min
    6. Control authentication for your APIs with Azure API Management - 55 min

  2. Implement resource management security in Azure 6 Modules - 3 hr 27 min
    1. Protect against security threats on Azure - 25 min
    2. Build a cloud governance strategy on Azure - 48 min
    3. Control and organize Azure resources with Azure Resource Manager - 46 min
    4. Secure your Azure resources with Azure role-based access control (Azure RBAC) - 37 min
    5. Manage access to an Azure subscription by using Azure role-based access control (Azure RBAC) - 21 min
    6. Create custom roles for Azure resources with role-based access control (RBAC) - 30 min

  3. Implement network security in Azure 5 Modules - 5 hr 8 min
    1. Secure network connectivity on Azure - 32 min
    2. Configure the network for your virtual machines - 1 hr 34 min
    3. Secure and isolate access to Azure resources by using network security groups and service endpoints - 43 min
    4. Encrypt network traffic end to end with Azure Application Gateway - 1 hr 17 min
    5. Monitor and troubleshoot your end-to-end Azure network infrastructure by using network monitoring tools - 1 hr 2 min

  4. Implement virtual machine host security in Azure 6 Modules - 6 hr 4 min
    1. Microsoft Azure Well-Architected Framework - Security - 1 hr 2 min
    2. Create security baselines - 1 hr
    3. Create a Linux virtual machine in Azure - 1 hr 26 min
    4. Create a Windows virtual machine in Azure - 51 min
    5. Secure your Azure virtual machine disks - 1 hr 1 min
    6. Protect your servers and VMs from brute-force and malware attacks with Azure Security Center - 44 min

  5. Manage identity and access in Azure Active Directory 9 Modules - 5 hr 17 min
    1. Protect against security threats on Azure - 25 min
    2. Create an Azure account - 39 min
    3. Manage users and groups in Azure Active Directory - 50 min
    4. Create Azure users and groups in Azure Active Directory - 41 min
    5. Secure your application by using OpenID Connect and Azure AD - 50 min
    6. Secure Azure Active Directory users with Multi-Factor Authentication - 38 min
    7. Manage device identity with Azure AD join and Enterprise State Roaming - 25 min
    8. Allow users to reset their password with Azure Active Directory self-service password reset - 31 min
    9. Add custom domain name to Azure Active Directory - 18 min

  6. Manage security operations in Azure 8 Modules - 6 hr
    1. Protect against security threats on Azure - 25 min of tailwindtraders.com. Its security posture is monitored using Azure Security Center adaptive application controls to define rules for secure score. Azure Logic Apps and Security Center connectors. Azure Sentinel SIEM using Common Event Format (CEF) messaging standard, Syslog, or REST API.
    2. Create security baselines - 1 hr
    3. Identify security threats with Azure Security Center - 43 min
    4. Resolve security threats with Azure Security Center - 44 min
    5. Protect your servers and VMs from brute-force and malware attacks with Azure Security Center - 44 min Security Center uses network security group (NSG) rules to restrict access to management ports when not in use.
    6. Analyze your Azure infrastructure by using Azure Monitor logs - 36 min
    7. Improve incident response with alerting on Azure - 53 min
    8. Capture Web Application Logs with App Service Diagnostics Logging - 55 min

https://microsoft.github.io/AzureTipsAndTricks/

https://cloudacademy.com/learning-paths/az-500-exam-preparation-microsoft-azure-security-technologies-650/

VIDEO: DOCS: Microsoft Threat Modeling Tool

Well Architected Framework

The Microsoft Azure Well-Architecture Framework 5 pillars are the same as Amazon’s:

Peter Zerger (@pzerger) :

CloudAcademy.com 16h video series by Thomas Mitchell

McK Udemy.com “updated 2020” 15.5h videos by Alan Anthony Rodrigues

Other videos:

Google

Google Professional Cloud Security Engineer, for $200 for 50 questions in 120 minutes, will have obtained the skills to “enable organizations to design and implement a secure infrastructure on Google Cloud Platform. Through an understanding of security best practices and industry security requirements, this individual designs, develops, and manages a secure infrastructure leveraging Google security technologies. Topics and skills:

SAP

First, memorize SAP Acronyms using my flashcards on Quizlet.com

SAP has two levels of certifications for Security pros. Both costs $242 USD to answer 65% of 80 multiple-choice questions in 3 hours.

Elsewhere:

Secure Coding

CodeBashing.com (by security tools vendor Checkmarx) has gamified tutorials on identifying and mitgating vulnerabilities in code for many languages: Hacking Headlines, Source Code (for each language): Android (Java), iOS, C/C++, C# .NET, .NET Backend, .NET Advanced, Go, Java, Java Backend, Java Advanced, Scala NodeJS, PHP, Python Django, Ruby on Rails,

Networking (Firewall) certs

Network software vendors have affordable certifications:

Palo Alto Networks

Palo Alto Networks is among the largest and most prestigeous vendors (with Cicso, etc.)

Palo Alto Networks Cybersecurity Apprentice

Palo Alto Networks Certified Network Security Generalist

Palo-Alto-Certs-722x434.png
[Credly, Community, Labs, FUEL user group virtual labs 4 hours at a time, PearsonVue]

Prisma Cloud, Prisma Cloud Enterprise, and Prisma Cloud Compute

https://www.checkpoint.com/certifications FAQ

Qualys

Linkedin lists the Foster City, CA Computer and Network Security company as having less than 5,000 employees (58% rating)

Qualys provides free tutorials and free certifications on each of their products, with free cloud time:

  1. Cloud Security Assessment and Response
  2. Endpoint Detection and Response (Secure Endpoints)
  3. API Fundamentals
  4. Cloud Agents
  5. Container Security
  6. File Integrity Monitoring
  7. Web Application Scanning
  8. CyberSecurity Asset Management (CSAM)
  9. Vulnerability Management (Foundation, Detection, and Response)
    • Global Asset View and Management
    • Scanning Strategies
    • Reporting Strategies
    • Patch Management
  10. Policy Compliance (Foundation & Deeper Knowledge)
  11. PCI Compliance (Foundation & Deeper Knowledge)
  12. Endpoint Detection and Response (Foundation & Deeper Knowledge)

Videos are served via Vimeo.

TCM Academy

TCM Academy is a for-profit entity which makes money by providing both training and certification on generic security topics, from $24.99/month, plus the cost of online certification exams:

Entry-Level Certifications:

Intermediate-Level Certifications:

OSIP (Open Source Intelligence Professional)

The OSIP (Open Source Intelligence Professional) Certification on OSINT (Open Source Intelligence) by inteltechniques.net is offered for $300 or $949 which includes their $649/year videos and 600+ page pdf.

It’s by Michael Bazzell, blogger. Previously FBI, Technical Advisor/Writer for the television show Mr. Robot and host to the now-defunct podcast inteltechniques.com

LoRaWAN TheThingNetwork

https://www.thethingsnetwork.org/docs/lorawan/the-things-certified-security/

References

On Udemy: McK Security Product Lifecycle 101 (SPLC) by Implementing Security. Voiced by an enthusiastic voice pro. References SAMM 2.0, OWASP Top 10.

Podcast: Evan Francen’s Unsecurity

TOP 5 Cyber Security Projects to go on Your Resume! by Josh Madakor

Azure Service Operator (ASO) Fabrikam Fabric Store

ACE-T (Antisyphon Cyber Education Testing) certification is obtained by completing challenges in the hands-on Antisyphon Cyber Range that accompany $295/6 month classes. Challenges covered by on-line courses include cryptography, forensics, penetration testing, reconnaissance, reverse engineering, threat hunting, and web exploitation. lookup

Movies

https://www.magellantv.com/series/secret-wars

CGLCP

CGLCP (Certified GenAI and LLM Cybersecurity Professional) is designed to equip cybersecurity professionals with the knowledge and skills to secure and manage generative AI and large language models. The program covers the risks, threat mitigation strategies, and ethical considerations associated with these advanced AI technologies.

The course focuses on the NICE Framework Task, Knowledge, and Skill statements identified within NICE Framework component(s).

More on Security

This is one of a series on Security and DevSecOps:

  1. Security actions for teamwork and SLSA

  2. DevSecOps

  3. Code Signing on macOS

  4. Transport Layer Security

  5. Git Signing
  6. GitHub Data Security

  7. Encrypt all the things

  8. Azure Security-focus Cloud Onramp

  9. Azure Networking

  10. AWS Onboarding
  11. AWS Security (certification exam)
  12. AWS IAM (Identity and Access Management)

  13. AWS Networking

  14. SIEM (Security Information and Event Management)
  15. Intrusion Detection Systems (Goolge/Palo Alto)

  16. Chaos Engineering

  17. SOC2
  18. FedRAMP

  19. CAIQ (Consensus Assessment Initiative Questionnaire) by cloud vendors

  20. AKeyless cloud vault
  21. Hashicorp Vault
  22. Hashicorp Terraform

  23. OPA (Open Policy Agent)

  24. SonarQube
  25. WebGoat known insecure PHP app and vulnerability scanners

  26. Test for OWASP using ZAP on the Broken Web App

  27. Security certifications

  28. Details about Cyber Security

  29. Quantum Supremecy can break encryption in minutes
  30. Pen Testing

  31. Kali Linux

  32. Threat Modeling
  33. WebGoat (deliberately insecure Java app)